DNS resolution is very slow!

Brian McGrew · Guest

Hello all!

I've got a problem where DNS is very slow to resolve internal and external
hostnames.

A quick overview of my network... A cable modem coming in going directly
into a firewall and the firewall is plugged directly into the network.

I've got 3 DNS servers.

1) Windows 2K8 on Vmware ESXi v3.5
2) Windows 2K3 on IBM x3400
3) Windows 2K3 on Dell 1900

I have a single active directory domain with about 10 hosts, nothing fancy
at all. There is no errors in the DNS or other event logs that I can find.
But there is an intermittent failure somewhere. Sometimes it's perfectly
fine, other times it can take over a minute to resolve internal or external
hostnames.

All three DNS servers are configured on all the hosts and they're in
different orders on each host just to make sure it's not one server flaking
out showing all the problems. I've also individually isolated a single DNS
to each host just to make sure there's nothing funny going on when selecting
which DNS server to ask. I also do not an can not use forwarders because my
cable company does DNS spoofing so http://www.nonexistantdomain.com goes to
their server and causes a major problem for me when I'm on the VPN with
work.

I'm reasonably certain this isn't a firewall issue since I can get out by IP
address at a normal and expected speed.

So, I ask the community, where should I be lookg and what should I be
looking for in tracking down why DNS resolution is so slow??? I come from
many years of DNS on Unix using Bind and I'm quite new to Windows DNS.

Thanks!

-b

Marcin · Guest

Brian,
how exactly do you handle external DNS resolution? What's the client
configuration of your DNS servers?
How did you determine that the problems you are experiencing are actually
caused directly by DNS (do you actually see a delay when running nslookup
against your internal DNS servers)?

hth
Marcin

"Brian McGrew" <brian@visionpro.com> wrote in message
news:C6D5659B.1404D%brian@visionpro.com...

Quote:

Hello all!

I've got a problem where DNS is very slow to resolve internal and external
hostnames.

A quick overview of my network... A cable modem coming in going directly
into a firewall and the firewall is plugged directly into the network.

I've got 3 DNS servers.

1) Windows 2K8 on Vmware ESXi v3.5
2) Windows 2K3 on IBM x3400
3) Windows 2K3 on Dell 1900

I have a single active directory domain with about 10 hosts, nothing fancy
at all. There is no errors in the DNS or other event logs that I can
find.
But there is an intermittent failure somewhere. Sometimes it's perfectly
fine, other times it can take over a minute to resolve internal or
external
hostnames.

All three DNS servers are configured on all the hosts and they're in
different orders on each host just to make sure it's not one server
flaking
out showing all the problems. I've also individually isolated a single
DNS
to each host just to make sure there's nothing funny going on when
selecting
which DNS server to ask. I also do not an can not use forwarders because
my
cable company does DNS spoofing so http://www.nonexistantdomain.com goes
to
their server and causes a major problem for me when I'm on the VPN with
work.

I'm reasonably certain this isn't a firewall issue since I can get out by
IP
address at a normal and expected speed.

So, I ask the community, where should I be lookg and what should I be
looking for in tracking down why DNS resolution is so slow??? I come from
many years of DNS on Unix using Bind and I'm quite new to Windows DNS.

Thanks!

-b

Brian McGrew · Guest

Yup, I see delays when running nslookup.

My servers are configured to use themselves for DNS lookup and then the
clients are configured to use those server for DNS lookups. Clients are 7,
XP, MacOS and Linux. All exhibit the same problems.

-b

On 9/15/09 5:03 PM, in article #WbUmEmNKHA.1268@TK2MSFTNGP04.phx.gbl,
"Marcin" <marcin@community.nospam> wrote:

Quote:

Brian,
how exactly do you handle external DNS resolution? What's the client
configuration of your DNS servers?
How did you determine that the problems you are experiencing are actually
caused directly by DNS (do you actually see a delay when running nslookup
against your internal DNS servers)?

hth
Marcin

"Brian McGrew" <brian@visionpro.com> wrote in message
news:C6D5659B.1404D%brian@visionpro.com...
Hello all!

I've got a problem where DNS is very slow to resolve internal and external
hostnames.

A quick overview of my network... A cable modem coming in going directly
into a firewall and the firewall is plugged directly into the network.

I've got 3 DNS servers.

1) Windows 2K8 on Vmware ESXi v3.5
2) Windows 2K3 on IBM x3400
3) Windows 2K3 on Dell 1900

I have a single active directory domain with about 10 hosts, nothing fancy
at all. There is no errors in the DNS or other event logs that I can
find.
But there is an intermittent failure somewhere. Sometimes it's perfectly
fine, other times it can take over a minute to resolve internal or
external
hostnames.

All three DNS servers are configured on all the hosts and they're in
different orders on each host just to make sure it's not one server
flaking
out showing all the problems. I've also individually isolated a single
DNS
to each host just to make sure there's nothing funny going on when
selecting
which DNS server to ask. I also do not an can not use forwarders because
my
cable company does DNS spoofing so http://www.nonexistantdomain.com goes
to
their server and causes a major problem for me when I'm on the VPN with
work.

I'm reasonably certain this isn't a firewall issue since I can get out by
IP
address at a normal and expected speed.

So, I ask the community, where should I be lookg and what should I be
looking for in tracking down why DNS resolution is so slow??? I come from
many years of DNS on Unix using Bind and I'm quite new to Windows DNS.

Thanks!

-b

Guest · Guest Posts Location

Ace Fekay [MCT] · Guest

"Brian McGrew" <brian@visionpro.com> wrote in message
news:C6D5A5DA.1407F%brian@visionpro.com...

Quote:

Yup, I see delays when running nslookup.

My servers are configured to use themselves for DNS lookup and then the
clients are configured to use those server for DNS lookups. Clients are
7,
XP, MacOS and Linux. All exhibit the same problems.

-b

What FQDN are you testing with when using nslookup?

If you run nslookup with the "set vc" option, does it still show delays?
(This option forces nslookup to use TCP instead of the default UDP then TCP
if the response is greater than 1280 bytes using EDNS0, and if not, 512
bytes).

I assume you have a mix of DNS servers. If using AD, I assume the AD zone is
on the DCs and you have secondaries elsewhere. Or are you using conditional
forwarding? Do all of your DNS servers host the same zones, or do they host
different zones?

As for forwarding, is forwarding configured between all of your DNS servers
or do they simply use the Roots for outside resolution? If there's
forwarding between them, it could cause a forwarding loop.

You can safely forward to 4.2.2.2 and 4.2.2.3.

Any event log errors in the DC or other DNS servers?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Brian McGrew · Guest

Quote:

If you run nslookup with the "set vc" option, does it still show delays?
(This option forces nslookup to use TCP instead of the default UDP then TCP
if the response is greater than 1280 bytes using EDNS0, and if not, 512
bytes).
-----

All of my servers are hosting a single internal domain. When I do nslookup
with the set vc option, it does seem quite a bit faster. In looking up
random domain names that I've never been to before, I set "Got recursion not
available from 192.168.1.246, trying next server" and the same error from
192.168.1.247. However, 192.168.1.239 (Win2K3) is successful and gives me
the IP. This is the case with many domains I've looked up so far.

Does that indicate a problem with .246 and .247??? .246 is Win2K3 and .247
is Win2K8.

Quote:

I assume you have a mix of DNS servers. If using AD, I assume the AD zone is
on the DCs and you have secondaries elsewhere. Or are you using conditional
forwarding? Do all of your DNS servers host the same zones, or do they host
different zones?
-----

All three of my machines are DC's, two are on physical hardware, one is a
vm. All are running DNS with an AD zone, there is a single forward zone and
a single reverse zone.

Quote:

As for forwarding, is forwarding configured between all of your DNS servers
or do they simply use the Roots for outside resolution? If there's
forwarding between them, it could cause a forwarding loop.

You can safely forward to 4.2.2.2 and 4.2.2.3.
-----

Right now I'm not doing forwarding because charter hijacks DNS on unfound
domains or hosts. I'm going directly to root. Should I be???

Quote:

Any event log errors in the DC or other DNS servers?
-----

The DNS server was unable to complete directory service enumeration of zone
toxicescrow.com. This DNS server is configured to use information obtained
from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat
enumeration of the zone. The extended error debug information (which may be
empty) is "". The event data contains the error.

And

The DNS server was unable to complete directory service enumeration of zone
1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone
without it. Check that the Active Directory is functioning properly and
repeat enumeration of the zone. The extended error debug information (which
may be empty) is "". The event data contains the error.

Are both from a few days ago. And I've got this from yesterday evening:

The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "". The event data contains the
error.

Thanks for the help!

-b

Ace Fekay [MCT] · Guest

"Brian McGrew" <brian@visionpro.com> wrote in message
news:C6D65612.14153%brian@visionpro.com...

Quote:

If you run nslookup with the "set vc" option, does it still show delays?
(This option forces nslookup to use TCP instead of the default UDP then
TCP
if the response is greater than 1280 bytes using EDNS0, and if not, 512
bytes).
-----
All of my servers are hosting a single internal domain. When I do
nslookup
with the set vc option, it does seem quite a bit faster. In looking up
random domain names that I've never been to before, I set "Got recursion
not
available from 192.168.1.246, trying next server" and the same error from
192.168.1.247. However, 192.168.1.239 (Win2K3) is successful and gives me
the IP. This is the case with many domains I've looked up so far.

Does that indicate a problem with .246 and .247??? .246 is Win2K3 and
.247
is Win2K8.

I assume you have a mix of DNS servers. If using AD, I assume the AD zone
is
on the DCs and you have secondaries elsewhere. Or are you using
conditional
forwarding? Do all of your DNS servers host the same zones, or do they
host
different zones?
-----
All three of my machines are DC's, two are on physical hardware, one is a
vm. All are running DNS with an AD zone, there is a single forward zone
and
a single reverse zone.

As for forwarding, is forwarding configured between all of your DNS
servers
or do they simply use the Roots for outside resolution? If there's
forwarding between them, it could cause a forwarding loop.

You can safely forward to 4.2.2.2 and 4.2.2.3.
-----
Right now I'm not doing forwarding because charter hijacks DNS on unfound
domains or hosts. I'm going directly to root. Should I be???

Any event log errors in the DC or other DNS servers?
-----
The DNS server was unable to complete directory service enumeration of
zone
toxicescrow.com. This DNS server is configured to use information
obtained
from Active Directory for this zone and is unable to load the zone without
it. Check that the Active Directory is functioning properly and repeat
enumeration of the zone. The extended error debug information (which may
be
empty) is "". The event data contains the error.

And

The DNS server was unable to complete directory service enumeration of
zone
1.168.192.in-addr.arpa. This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the
zone
without it. Check that the Active Directory is functioning properly and
repeat enumeration of the zone. The extended error debug information
(which
may be empty) is "". The event data contains the error.

Are both from a few days ago. And I've got this from yesterday evening:

The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended
error
debug information (which may be empty) is "". The event data contains the
error.

Thanks for the help!

-b

If you are getting 'recursion not available, that could indicate you've
disabled recursion under the Advanced tab in DNS properties. Was that
disabled?

If TCP (set vc option) is working, it may indicate a UDP 53 block somewhere.
This is indicative of the slow response without it, because it tries UDP
first, then TCP, so the time delay would make sense.

Check your routers, too. If you are not using forwarding (which I suggest),
then it means DNS is using the Roots, and your DNS servers use EDNS0 by
default (UDP to 1280 bytes, then TCP), and if the firewall/router does not
support EDNS0, or has not been enabled, then I can understand why you are
having these issues. Check your firewall docs for more info. Also try the
forwarders I mentioned, which bypasses the Roots and directly queries to
those servers, which offloads the recursion process from your DNS servers to
the forwarders.

As for the event log errors, it would have been helpful to post the EventID#
(I'm trying to remember the eventID#), but I think you are referring to
EventID# 4004, source name = "DNS." If so, it may be indicative of the DCs'
DNS settings being misconfigured.
http://eventid.net/display.asp?eventid=4004&eventno=334&source=DNS&phase=1

For DCs, it is suggested to point to itself first for DNS, then a partner
replica DC as the second DNS entry. Never use an external DNS, ISP's, the
router (some folks actually do that), or another DNS that does not host the
AD zone name, unless it has some sort of reference to it (stubs, conditional
forwarding or secondaries).

Others errors that can cause this:
Multihomed DCs (more than one NIC and/or IP address).
RRAS running on a DC (makes it a multihomed DC).
Single label name AD DNS domain name ('domain' vs the minimal recommended
form of 'domain.something').
AV or security software and the AD database and other data have not been
excluded (NTDS and SYSVOL folders).

Ace

Brian McGrew · Guest

Quote:

If you are getting 'recursion not available, that could indicate you've
disabled recursion under the Advanced tab in DNS properties. Was that
disabled?
-----

Recursion was NOT disabled. I am not using the 4.2.2.2 and 4.2.2.3
forwarders.

Quote:

If TCP (set vc option) is working, it may indicate a UDP 53 block somewhere.
This is indicative of the slow response without it, because it tries UDP
first, then TCP, so the time delay would make sense.

Check your routers, too. If you are not using forwarding (which I suggest),
then it means DNS is using the Roots, and your DNS servers use EDNS0 by
default (UDP to 1280 bytes, then TCP), and if the firewall/router does not
support EDNS0, or has not been enabled, then I can understand why you are
having these issues. Check your firewall docs for more info. Also try the
forwarders I mentioned, which bypasses the Roots and directly queries to
those servers, which offloads the recursion process from your DNS servers to
the forwarders.
-----

There is no firewall in the way during testing... Normally there is but
while I'm testing, no. Besides, it's an intermittent problem.

Quote:

As for the event log errors, it would have been helpful to post the EventID#
(I'm trying to remember the eventID#), but I think you are referring to
EventID# 4004, source name = "DNS." If so, it may be indicative of the DCs'
DNS settings being misconfigured.
-----

The event log erros are a few days old. I'll watch for them again and look
them up.

-brian

Ace Fekay [MCT] · Guest

"Brian McGrew" <brian@visionpro.com> wrote in message
news:C6D6DE2B.14208%brian@visionpro.com...

Quote:

If you are getting 'recursion not available, that could indicate you've
disabled recursion under the Advanced tab in DNS properties. Was that
disabled?
-----
Recursion was NOT disabled. I am not using the 4.2.2.2 and 4.2.2.3
forwarders.

I understand you are not using Forwarders. I was merely suggesting it is a
good idea, especially using a Forwarder other than your ISP, because of your
cable ISP restrictions and "features" that they impose.

Quote:

If TCP (set vc option) is working, it may indicate a UDP 53 block
somewhere.
This is indicative of the slow response without it, because it tries UDP
first, then TCP, so the time delay would make sense.

Check your routers, too. If you are not using forwarding (which I
suggest),
then it means DNS is using the Roots, and your DNS servers use EDNS0 by
default (UDP to 1280 bytes, then TCP), and if the firewall/router does
not
support EDNS0, or has not been enabled, then I can understand why you are
having these issues. Check your firewall docs for more info. Also try the
forwarders I mentioned, which bypasses the Roots and directly queries to
those servers, which offloads the recursion process from your DNS servers
to
the forwarders.
-----
There is no firewall in the way during testing... Normally there is but
while I'm testing, no. Besides, it's an intermittent problem.

Then I am not sure about the 'intermittent' issue. Usually it works or it
doesn't. If intermittent, and the ones that do not resolve have a large
reply packet, such as some domains with large enough data beyond 512 bytes
such as hotmail, yahoo, AOL, etc, which if that is the case, it would appear
to be a UDP block issue,

Quote:

As for the event log errors, it would have been helpful to post the
EventID#
(I'm trying to remember the eventID#), but I think you are referring to
EventID# 4004, source name = "DNS." If so, it may be indicative of the
DCs'
DNS settings being misconfigured.
-----
The event log erros are a few days old. I'll watch for them again and
look
them up.

-brian

Run DNSLINT and see what you get.

Description of the DNSLint utilityMay 14, 2002 ... DNSLint is a Microsoft
Windows utility that helps you to diagnose common DNS name resolution
issues.
http://support.microsoft.com/kb/321045

How to use DNSLint to troubleshoot Active Directory replication issuesThis
article describes how to use the DNSLint utility to troubleshoot Active
Directory replication issues. The Active Directory is a distributed
database.
http://support.microsoft.com/kb/321046

I would also suggest to run the following to make sure there are not AD
issues that this intermittent issue is affecting AD, just to make sure and
rule that out:

dcdiag /v
netdiag /v

Ace